On Thu, 2008-05-15 at 14:29 -0700, Jeffrey Nonken wrote:
> http://www.linux.com/feature/135270
This paragraph is probably wrong:
> Debian and derivative distribution users can use the apt-get upgrade
> command to replace vulnerable keys on their systems, and Ubuntu users
> applying the security patches which appeared yesterday will have their
> weak keys replaced automatically, but as Moore points out, that
> doesn't solve the problems caused by weak keys being used to sign
> certificates or copied to other servers.
More detailed information is available at http://wiki.debian.org/SSLkeys
Note that the vulnerability meant that only 2^15 different keys of each
size were being generated. This is an incredibly small number, and I'm
sure many hackers have dictionaries of the entire key set now to break
into systems with affected authorized_keys files.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
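
An added example, not part of the original message: a small audit that parses an authorized_keys file and flags entries whose fingerprint appears in a set of known-weak key fingerprints, which is the check the affected authorized_keys files call for. The sample keys, the comments and the fingerprint set are constructed; it assumes the weak-key list is obtained separately as colon-separated MD5 fingerprints of the public key blob.

```python
import base64, binascii, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # assumption: the two key types to audit

def fingerprint(blob):
    """Legacy OpenSSH-style fingerprint: MD5 over the decoded public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_key_line(line):
    """Return (key_type, blob, comment), or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # The key type may be preceded by an options field such as from="...".
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # A genuine blob begins with its own length-prefixed type name.
        if blob.startswith(struct.pack(">I", len(field)) + field.encode()):
            return field, blob, " ".join(fields[i + 2:])
    return None

def find_weak_keys(text, weak_fingerprints):
    """Return [(line_no, key_type, comment)] for every listed key that is weak."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed and fingerprint(parsed[1]) in weak_fingerprints:
            hits.append((line_no, parsed[0], parsed[2]))
    return hits

def _blob(key_type, body):  # builds a constructed, non-functional key blob
    return struct.pack(">I", len(key_type)) + key_type.encode() + body

WEAK = _blob("ssh-rsa", b"constructed-weak-key")
GOOD = _blob("ssh-rsa", b"constructed-good-key")
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# constructed sample",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'from="10.0.0.5",no-pty ssh-rsa ' + base64.b64encode(WEAK).decode() + " backup@server",
    "ssh-rsa not-base64!! broken",
])
WEAK_FINGERPRINTS = {fingerprint(WEAK)}  # stands in for the real weak-key list
```

Any line reported by `find_weak_keys` should be removed from the file and the key pair regenerated on a patched system.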